Error Handling Flashcards
Testing for Error Codes
These codes reveal a lot of information about databases, bugs, and other technological components directly linked with web applications.
Approach
- Google hacking
  - Locate errors that disclose information
- Send custom requests to the web server
  - Force specific error types
Error Types
- Web Server Errors
- Application Server Errors
- Database Errors
Remediation
- Remove the server information from the error responses
Web Server Errors
Can provide useful information like:
- OS
- Apache version
- PHP version
- OpenSSL version
HTTP Error Codes
- 400
- 404
- 408
- 501
- 505
HTTP Status Code:
400 Bad Request
The request could not be understood by the server due to invalid syntax.
The client SHOULD NOT repeat the request without modifications.
HTTP Status Code:
404 Not Found
The server has not found anything matching the Request-URI.
No indication is given of whether the condition is temporary or permanent.
This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
In the browser, this means the URL is not recognized.
In an API, this can also mean that the endpoint is valid but the resource itself does not exist.
HTTP Status Code:
408 Request Timeout
The client did not produce a request within the time that the server was prepared to wait.
It means that the server would like to shut down this unused connection.
The client MAY repeat the request without modifications at any later time.
Also, note that some servers merely shut down the connection without sending this message.
HTTP Status Code:
501 Not Implemented
The server does not support the functionality required to fulfill the request.
The request method is not supported by the server and cannot be handled.
The only methods that servers are required to support (and therefore that must not return this code) are GET and HEAD.
HTTP Status Code:
505 HTTP Version Not Supported
The HTTP version used in the request is not supported by the server.
The response SHOULD contain an entity describing why that version is not supported and what other protocols are supported by that server.
Application Server Errors
Errors returned by the application itself.
Can provide server paths, installed libraries, and application versions.
Database Errors
Errors returned by the Database System when there is a problem with the query or the connection.
Can provide Database server IPs, tables, columns, and login details.
Testing for Stack Traces
The stack trace is a list of the functions in the call stack at the point an exception is triggered.
The stack trace reveals sensitive information.
Attackers attempt to generate these stack traces by tampering with the input to the web application with malformed HTTP requests and other input data.